seacms-net / CMS

SeaCMS program release
https://www.seacms.net
381 stars, 27 forks

Unauthenticated SQL Injection in SeaCMS v12.9 #15

Open Hebing123 opened 8 months ago

Hebing123 commented 8 months ago

Summary

SeaCMS v12.9 suffers from an unauthenticated SQL injection vulnerability in the dmku/index.php file where user-supplied data is used directly in an SQL query without proper sanitization.

Detail

The following code demonstrates the misuse of the id parameter: https://github.com/HuaQiPro/seacms/blob/ffa00178c7bf966b6bed7109ca76c270eadfeb70/js/player/dmplayer/dmku/class/mysqli.class.php#L287-L305 It is clearly spliced directly into the SQL statement without filtering.

Proof of Concept (PoC)

http(s)://ip:port//js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(10)))v)&type=list
http(s)://ip:port//js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(15)))v)&type=list

Impact

This vulnerability allows unauthenticated remote attackers to inject arbitrary SQL commands through the id parameter.
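The report above describes the classic root cause: a request parameter concatenated straight into a mysqli query string. The following is an added illustration written for this page, not code from the SeaCMS project or from the reporter. It shows the unsafe concatenation pattern next to a hardened version that validates the parameter type and binds it through a prepared statement. The table name `danmaku_list`, the column `id`, and the function names are assumptions chosen for the example; they do not claim to match the real schema in dmku/index.php or mysqli.class.php.

```php
<?php
// Added example for this issue page; table and function names are assumptions.

// UNSAFE pattern (the shape the report describes): the raw request value
// becomes part of the SQL text, so any SQL syntax inside it is executed.
function deleteVulnerable(mysqli $db, string $idFromRequest): bool
{
    $sql = "DELETE FROM danmaku_list WHERE id = " . $idFromRequest;
    return (bool) $db->query($sql);
}

// HARDENED version: reject anything that is not a plain integer, then pass
// the value as a bound parameter so the database never parses it as SQL.
function deleteSafe(mysqli $db, string $idFromRequest): bool
{
    // ctype_digit() accepts only "0"-"9" characters; a payload such as
    // "(select(0)from(select(sleep(10)))v)" is refused before any query runs.
    if ($idFromRequest === '' || !ctype_digit($idFromRequest)) {
        return false;
    }
    $id = (int) $idFromRequest;

    $stmt = $db->prepare("DELETE FROM danmaku_list WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    // "i" binds the value as an integer; the placeholder carries data, not SQL.
    $stmt->bind_param("i", $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Minimal request handler mirroring the ac=del branch from the PoC URLs.
// Hypothetical wiring: the real dmku/index.php dispatch is not reproduced here.
function handleDelete(mysqli $db, array $query): bool
{
    if (($query['ac'] ?? '') !== 'del') {
        return false;
    }
    return deleteSafe($db, (string) ($query['id'] ?? ''));
}

// Usage (requires a reachable MySQL instance; connection values are placeholders):
// $db = new mysqli('127.0.0.1', 'user', 'password', 'seacms');
// var_dump(handleDelete($db, ['ac' => 'del', 'id' => '42']));      // bool(true) if row exists
// var_dump(handleDelete($db, ['ac' => 'del', 'id' => '1 OR 1=1'])); // bool(false), rejected
```

Two defensive layers are deliberately combined: the integer check gives a cheap, loggable rejection point for obviously malformed input, and the prepared statement guarantees that even a value which passes validation cannot change the query structure. Either one alone closes the injection; using both means a later refactor that drops one of them does not silently reopen it.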

Hebing123 commented 6 months ago

This is the vulnerability exploitation reference for CVE-2024-29275